
A "You are denied by bucket referer policy" error occurs when accessing OSS resources after OSS hotlinking protection is set up.

Last Updated: Sep 23, 2021

Problem description

After hotlink protection is configured on a bucket to prevent others from hotlinking your Alibaba Cloud OSS resources, the following error is returned when you access a resource URL in the bucket.

<Code>AccessDenied</Code>
<Message>You are denied by bucket referer policy.</Message>

Cause

The error occurs because the bucket is configured with hotlink protection and the Referer carried by the request for the URL does not satisfy the hotlink protection settings. The possible reasons are as follows:

  • The Referer is empty. The request header does not contain the Referer field, or the Referer field is empty.
  • The Referer is not within the specified Referer range or is in the wrong format.

Solution

Referer errors generally occur in website-based applications. If an access error occurs after hotlink protection is set, perform the following operations to troubleshoot it:

  1. Clear the browser cache. Then debug from the client that is used for access and analyze the cause of the specific error.
    • On a PC, view the Referer request header in your browser. For example, in Chrome, press F12 to open the developer tools. On the Network tab, check the Referer carried by the specific requests.
    • For mobile access, connect the mobile device through a hotspot on a PC. You can then use Wireshark or Fiddler to capture packets and analyze the Referer carried in the request headers of the specific request URL. Some browsers on mobile devices may currently force the Referer to be empty when they access a page, so access succeeds from a PC but fails from a mobile device. Packet capture is required to analyze the specific case.
  2. According to the analysis results, perform the following operations:
    • The Referer is empty. If the request header does not contain the Referer field or the Referer field is empty, change the bucket settings as follows. For more information, see Configure hotlink protection.
      1. Log on to the OSS console, click Buckets, and then click the name of the target bucket.
      2. Click Permissions > Anti-leech. In the Anti-leech section, click Settings to configure the anti-leech feature for the bucket. For more information about how to use wildcard characters when you configure Referer, see Hotlink protection.
    • The Referer is not in the specified range or its format is incorrect. Note the following points:
      • Confirm whether the configuration uses http:// or https://.
      • a.example.com and b.example.com match http://*.example.com or http://?.example.com.
      • example.com matches http://example.com, not http://*.example.com.
      • A Referer entry in the configuration must contain http:// or https://. Otherwise, the entry is invalid. For example, b.example.com is invalid.

  3. If the problem persists after you perform the preceding steps, see OSS hotlink protection configuration and common error troubleshooting methods for further troubleshooting.
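
The Referer matching rules from step 2 can be checked locally before you change the bucket settings. The following is an added example, not Alibaba Cloud code and not the OSS implementation: it models only the rules listed on this page, and it assumes that only the scheme and host of the Referer are compared. The function names and the allow_empty parameter (standing in for the bucket's empty-Referer setting) are hypothetical.

```python
import re
from urllib.parse import urlsplit

SCHEMES = ("http://", "https://")

def invalid_entries(whitelist):
    """Whitelist entries without http:// or https:// are invalid (e.g. b.example.com)."""
    return [e for e in whitelist if not e.lower().startswith(SCHEMES)]

def _to_regex(entry):
    # '*' stands for zero or more characters, '?' for exactly one character.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in entry)
    return re.compile(body, re.IGNORECASE)

def check_referer(referer, whitelist, allow_empty=False):
    """Return (allowed, reason) for one request's Referer header value."""
    if not referer:
        return allow_empty, "Referer is empty"
    parts = urlsplit(referer)
    origin = f"{parts.scheme}://{parts.netloc}"  # assumption: the path is ignored
    for entry in whitelist:
        # Invalid entries (no scheme) never match anything.
        if entry.lower().startswith(SCHEMES) and _to_regex(entry).fullmatch(origin):
            return True, f"matched {entry}"
    return False, "Referer is not in the specified range"

if __name__ == "__main__":
    # Constructed sample whitelist and Referer values, as captured in step 1.
    whitelist = ["http://*.example.com", "b.example.com"]
    print("invalid entries:", invalid_entries(whitelist))
    for ref in ["http://a.example.com/page.html", "http://example.com/",
                "https://a.example.com/", "http://b.example.com/", ""]:
        print(repr(ref), check_referer(ref, whitelist))
```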

Applicable scope

  • Object Storage Service (OSS)